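# NixOS module: Grafana behind an nginx TLS terminator, with LDAP login,
# anonymous read-only access, SMTP, and a local PostgreSQL backend.
#
# Secrets are never written into this file or the Nix store: every credential
# is referenced through Grafana's `$__file{...}` provider and resolved from the
# sops-managed files at runtime.
{ pkgs, config, ... }:

let
  # Grafana LDAP configuration, rendered to the Nix store. The store is
  # world-readable, so the only secret-bearing field points at a runtime file
  # (the same sops secret used below, so the path is declared in one place).
  ldap = pkgs.writeTextFile {
    name = "ldap.toml";
    text = ''
      [[servers]]
      host = "ldap.cloonar.com"
      port = 636
      # Port 636 is LDAPS; without use_ssl Grafana would open a plaintext LDAP
      # connection to it and the bind (and the user's password) would not be
      # protected. Keep certificate verification on; if the directory uses a
      # private CA, add `root_ca_cert = "..."` here rather than disabling it.
      use_ssl = true
      start_tls = false
      ssl_skip_verify = false
      bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com"
      bind_password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}"
      # Users may log in with either their mail address or uid.
      search_filter = "(&(objectClass=cloonarUser)(|(mail=%s)(uid=%s)))"
      search_base_dns = ["ou=users,dc=cloonar,dc=com"]

      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "uid"
      email = "mail"
    '';
  };
in
{
  services.grafana = {
    enable = true;

    settings = {
      analytics.reporting_enabled = false;

      "auth.ldap".enabled = true;
      "auth.ldap".config_file = toString ldap;

      # Anonymous visitors get read-only access to the main org. Every
      # dashboard and datasource query in that org is therefore public;
      # keep anything sensitive in a separate org or disable this.
      "auth.anonymous".enabled = true;
      "auth.anonymous".org_name = "Main Org.";
      "auth.anonymous".org_role = "Viewer";

      server = {
        root_url = "https://grafana.cloonar.com";
        domain = "grafana.cloonar.com";
        enforce_domain = true;
        enable_gzip = true;
        # Only the nginx vhost below (on this host) needs to reach Grafana,
        # so bind to loopback instead of every interface; otherwise the
        # plaintext listener on :3001 is reachable from the network and
        # bypasses the TLS terminator.
        http_addr = "127.0.0.1";
        http_port = 3001;
      };

      smtp = {
        enabled = true;
        host = "mail.cloonar.com:587";
        user = "grafana@cloonar.com";
        # NOTE(review): this reuses the LDAP bind secret as the SMTP password.
        # If the mail account has its own credential, add a dedicated
        # `grafana-smtp-password` sops secret so the two can be rotated
        # independently — confirm which is intended.
        password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}";
        fromAddress = "grafana@cloonar.com";
      };

      database = {
        type = "postgres";
        name = "grafana";
        # Unix socket with peer auth; no database password is needed.
        host = "/run/postgresql";
        user = "grafana";
      };

      security = {
        admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
        # The site is HTTPS-only (forceSSL below), so never let the session
        # cookie be sent over plain HTTP.
        cookie_secure = true;
      };
    };
  };

  services.nginx.virtualHosts."grafana.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    # No webroot: the ACME challenge for this host is presumably handled by a
    # non-HTTP-01 method configured elsewhere — verify against the
    # security.acme settings.
    acmeRoot = null;
    locations."/" = {
      proxyPass = "http://localhost:3001";
      # Grafana Live (dashboard streaming) uses a websocket.
      proxyWebsockets = true;
      # NOTE(review): with enforce_domain = true Grafana compares the Host
      # header against `domain`; make sure `services.nginx.recommendedProxySettings`
      # (or an explicit `proxy_set_header Host $host;` and X-Forwarded-* set)
      # is enabled, otherwise the upstream sees "localhost:3001" and redirects.
    };
  };

  services.postgresql.ensureUsers = [
    {
      name = "grafana";
      # NOTE(review): `ensurePermissions` was removed in recent NixOS releases
      # in favour of `ensureDBOwnership = true`; switch when upgrading.
      ensurePermissions = {
        "DATABASE \"grafana\"" = "ALL PRIVILEGES";
        "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
      };
    }
  ];
  services.postgresql.ensureDatabases = [ "grafana" ];
  services.postgresqlBackup.databases = [ "grafana" ];

  # Secret files are owned by the grafana service user so that the
  # `$__file{...}` references above can be read at startup.
  sops.secrets = {
    grafana-admin-password.owner = "grafana";
    grafana-ldap-password.owner = "grafana";
  };
}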